Enterprise cybersecurity leaders are still underselling themselves, and the value they can offer the business, to the board, making it harder to engage business leaders on cyber, according to experts speaking at Infosecurity Europe.
Information Security Forum distinguished analyst, Paul Watts, argued that although board leaders are nominally more engaged on security than they used to be, they often lose focus due to commercial and other pressures, which is where the CISO should step in.
However, too often, CISOs revert to type and box themselves into a corner, where the function continues to be viewed purely in governance, risk and compliance (GRC) terms.
“If the business continues to see us about just risk and compliance, we’ll always be holding on to a ticking time bomb of a breach event. Narrowing our mandate is a bad idea,” he argued.
Valerie Abend, global cyber strategy lead at Accenture, highlighted several other mistakes CISOs often make in their interactions with the board, including data overload, using scare tactics, overconfidence, not asking executives enough questions, and not taking time to understand individual business units or explain how security can add value.
“It’s incredibly important as security pros that you get a deep understanding of processes across critical business functions, talk their language and then explain how you can provide value,” she explained.
Watts agreed, arguing that getting board engagement will in many cases require CISOs to rejuvenate the security brand, lead by example and be better negotiators and marketers.
“We exist right across the business value chain. We need to celebrate our successes and market where we can bring that value to a multitude of places across that value chain,” he said. “When we add or lose security controls, there are major implications for cost and agility, so working in isolation is defeating what the business is trying to do.”
In the experience of Easyjet CISO, Paul Midian, articulating cybercrime in business terms can be an eye-opener for board members. Once they realize they are effectively being attacked by a rival business, and understand which assets are at risk and why, the whole discussion becomes easier for them to follow, he explained.
Penguin Random House director of information security, Deborah Haworth, added that CISOs should reach out to their community more often, as it can be a fantastic resource to help advise on tactics for boardroom engagement.
Most importantly, security bosses shouldn’t leave their relationship-building efforts until the board meeting, she argued.
“These are the senior colleagues you’re working with,” said Haworth. “You have to have an ongoing engagement with them, because when cyber-criminals strike you’ll need to have an open and trusting conversation, and if you’re strangers you may not be able to understand and help each other.”